Re: [Linphone-users] linphone more about security - ZRTP on windows 3.6.0

[Guillaume Beraudo]

Hi,

The 3.6.0 release links on an old version of libzrtpcpp.

I cloned zrtpcpp master and observed that it would need work
to use the latest zrtpcpp version.

It used to be possible to compile zrtpcpp without ccrtp.
I couldn't manage to do it with this version; perhaps the new way require
to move our ortp glue code directly in zrtpcpp.

Anyway, comments and patches welcome.

Guillaume


On Tue, Jul 09, 2013 at 05:02:04PM +0000, JC wrote:
> does the newest stable release (3.6.0) contain the updated libzrtpcpp which 
> does not contain these vulnerabilities: 
> http://blog.azimuthsecurity.com/2013/06/attacking-crypto-phones-weaknesses-in.html
>  
> 
> if 3.6.0 is still effected by the security flaws, what version of linphone 
> will have them fixed,when will you release it?
> 
> 
> 
> On Monday, July 08, 2013 at 7:26 AM, "Guillaume Beraudo" <address@hidden> 
> wrote:
> >
> >Hi,
> >
> >> >Open settings to enable TLS and ZRTP.
> >> >The SAS will be displayed next to a lock pictogram in the 
> >incall 
> >> >view.
> >
> >> when these things are set enable and you see the SAS displayed 
> >then conversation is end to end encrypted?
> >
> >At that point the conversation will be encrypted, both audio and 
> >video.
> >However, you are responsible as a participant to check the SAS and 
> >authentify
> >the peer you are communicating with.
> >
> >If picto, SAS and remote peer authentication are handled 
> >correctly, then you can be
> >sure that the communication is trully end-to-end encrypted.
> >
> >In this case both participants should validate the SAS which will 
> >allow automatic
> >checking for future communications with the same peer.
> >
> >
> >Cheers,
> >Guillaume
> >
> >On Fri, Jul 05, 2013 at 11:41:52AM +0000, JC wrote:
> >> when these things are set enable and you see the SAS displayed 
> >then conversation is end to end encrypted?
> >> 
> >> 
> >> >Hi,
> >> >
> >> >ZRTP is present in release 3.6.0.
> >> >However, version 3.6.1 has been released without ZRTP, by error.
> >> >
> >> >Open settings to enable TLS and ZRTP.
> >> >
> >> >The SAS will be displayed next to a lock pictogram in the 
> >incall 
> >> >view.
> >> >
> >> >
> >> >Guillaume
> >> >
> >> >
> >> >On Thu, Jul 04, 2013 at 08:17:23PM +0000, address@hidden 
> >wrote:
> >> >> > There are several choices:
> >> >> > - TLS + srtp: the encryption is done using the certificate 
> >on 
> >> >the server;
> >> >> > - ZRTP: the conversations are truly encrypted end-to-end 
> >and 
> >> >requires
> >> >> > participants to check the SAS.
> >> >> 
> >> >> how do you check the sas as windows user using your free sip 
> >> >servcice?
> >> >> 
> >> >> > As a consequence, even when using ZRTP you should still be 
> >> >using TLS signaling 
> >> >> > encryption.
> >> >> 
> >> >> how do you enable tls and zrtp is this enabled on default 
> >when 
> >> >using windows version with your sip service?
> >> >> 
> >> >> 
> >> >> >> is there a portable version of linphone that is self 
> >> >contained?
> >> >> > On wich platform?
> >> >> 
> >> >> Windows
> >> >> 
> >> >> 
> >> 
> >> 
> >> _______________________________________________
> >> Linphone-users mailing list
> >> address@hidden
> >> https://lists.nongnu.org/mailman/listinfo/linphone-users
> >
> >_______________________________________________
> >Linphone-users mailing list
> >address@hidden
> >https://lists.nongnu.org/mailman/listinfo/linphone-users
> 
> 
> _______________________________________________
> Linphone-users mailing list
> address@hidden
> https://lists.nongnu.org/mailman/listinfo/linphone-users